Fix tests broken due to the firewall being enabled by default

Eelco Dolstra 2014-04-11 17:15:56 +02:00
parent 017408e048
commit 13185280fe
16 changed files with 52 additions and 25 deletions


@ -43,7 +43,7 @@ in {
default = 8080; default = 8080;
type = types.uniq types.int; type = types.uniq types.int;
description = '' description = ''
Specifies port number on which the jenkins HTTP interface listens. The default is 8080 Specifies port number on which the jenkins HTTP interface listens. The default is 8080.
''; '';
}; };


@ -142,6 +142,10 @@ in
services.dbus.enable = true; services.dbus.enable = true;
services.dbus.packages = [avahi]; services.dbus.packages = [avahi];
# Enabling Avahi without exposing it in the firewall doesn't make
# sense.
networking.firewall.allowedUDPPorts = [ 5353 ];
}; };
} }
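Review bot: The new `networking.firewall.allowedUDPPorts = [ 5353 ];` is unconditional, so every host that enables Avahi now accepts mDNS on every interface the firewall covers, with no way for a deployer to keep the daemon for local resolution while leaving the port closed. Consider gating it behind a boolean option (an `openFirewall`-style option defaulting to true, declared next to the module's other options) and writing the line as `networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ 5353 ];`, and state in the `enable` option's description that enabling the service opens UDP 5353. The module header, its option declarations and the `cfg` binding are outside this hunk, so the option name and the `cfg` reference are a suggestion to be adapted.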


@ -33,6 +33,8 @@ in
services.httpd.enable = true; services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
services.httpd.documentRoot = "/tmp"; services.httpd.documentRoot = "/tmp";
networking.firewall.enable = false; # FIXME: figure out what ports we actually need
}; };
router = router =
@ -50,11 +52,13 @@ in
virtualisation.vlans = [ 2 ]; virtualisation.vlans = [ 2 ];
networking.defaultGateway = networking.defaultGateway =
nodes.router.config.networking.interfaces.eth2.ipAddress; nodes.router.config.networking.interfaces.eth2.ipAddress;
networking.firewall.enable = false;
}; };
client2 = client2 =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ environment.systemPackages = [ pkgs.transmission ]; { environment.systemPackages = [ pkgs.transmission ];
networking.firewall.enable = false;
}; };
}; };
@ -66,8 +70,8 @@ in
# Enable NAT on the router and start miniupnpd. # Enable NAT on the router and start miniupnpd.
$router->waitForUnit("nat"); $router->waitForUnit("nat");
$router->succeed( $router->succeed(
"iptables -t nat -N MINIUPNPD", "iptables -w -t nat -N MINIUPNPD",
"iptables -t nat -A PREROUTING -i eth1 -j MINIUPNPD", "iptables -w -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
"echo 1 > /proc/sys/net/ipv4/ip_forward", "echo 1 > /proc/sys/net/ipv4/ip_forward",
"miniupnpd -f ${miniupnpdConf nodes}" "miniupnpd -f ${miniupnpdConf nodes}"
); );
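Review bot: `networking.firewall.enable = false;` on the httpd node (with a FIXME) and on client1 and client2 removes the firewall from exactly the scenario this test exercises — a client behind NAT asking miniupnpd for a port mapping — so the test can no longer notice a mapped port that the client's own firewall would drop. Judging by the visible config the httpd node needs only `networking.firewall.allowedTCPPorts = [ 80 ];`; the peer port handed to transmission is set in the test script outside this hunk, and if it is fixed there it can be allowed on client1/client2 with `allowedTCPPorts` instead of disabling the firewall. If the FIXME has to stay, it should name the ports that are actually unknown. The `iptables -w` change is fine.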


@ -17,6 +17,8 @@
config = config =
{ services.httpd.enable = true; { services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
}; };
}; };
@ -65,7 +67,7 @@
$machine->succeed("nixos-container start $id1"); $machine->succeed("nixos-container start $id1");
# Execute commands via the root shell. # Execute commands via the root shell.
$machine->succeed("echo uname | nixos-container root-shell $id1") =~ /Linux/; $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/;
$machine->succeed("nixos-container set-root-password $id1 foobar"); $machine->succeed("nixos-container set-root-password $id1 foobar");
# Destroy the containers. # Destroy the containers.


@ -17,6 +17,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ services.httpd.enable = true; { services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
networking.firewall.enable = false;
}; };
}; };
@ -33,7 +34,7 @@
$walled->succeed("curl -v http://localhost/ >&2"); $walled->succeed("curl -v http://localhost/ >&2");
# Connections to the firewalled machine should fail. # Connections to the firewalled machine should fail.
$attacker->fail("curl -v http://walled/ >&2"); $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
$attacker->fail("ping -c 1 walled >&2"); $attacker->fail("ping -c 1 walled >&2");
# Outgoing connections/pings should still work. # Outgoing connections/pings should still work.
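Review bot: The negative check `$attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2")` can now pass for the wrong reason: `--fail` makes curl exit non-zero on any HTTP 4xx/5xx, so if the firewall let the connection through and httpd answered 403 or 404 for `/`, the test would still report the firewall as blocking. The positive check on the same server two lines up (`curl -v http://localhost/`) runs without `--fail`, so an error status from that httpd is not ruled out by the test. Drop `--fail` and keep only the timeout — `curl --connect-timeout 2 http://walled/ >&2` — so the only way the command fails is that no TCP connection was established, or, if the driver allows it, assert curl's exit code 28 (timeout) explicitly.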


@ -79,6 +79,8 @@ let
virtualisation.writableStore = true; virtualisation.writableStore = true;
virtualisation.pathsInNixDB = channelContents ++ [ pkgs.hello.src ]; virtualisation.pathsInNixDB = channelContents ++ [ pkgs.hello.src ];
virtualisation.memorySize = 768; virtualisation.memorySize = 768;
networking.firewall.allowedTCPPorts = [ 80 ];
}; };
channelContents = [ pkgs.rlwrap ]; channelContents = [ pkgs.rlwrap ];


@ -12,6 +12,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ services.httpd.enable = true; { services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
}; };
router = router =


@ -3,21 +3,27 @@
# 2. jenkins user can be extended on both master and slave # 2. jenkins user can be extended on both master and slave
# 3. jenkins service not started on slave node # 3. jenkins service not started on slave node
{ pkgs, ... }: { pkgs, ... }:
{ {
nodes = { nodes = {
master = { pkgs, config, ... }: {
services.jenkins.enable = true; master =
{ config, pkgs, ... }:
{ services.jenkins.enable = true;
# should have no effect # should have no effect
services.jenkinsSlave.enable = true; services.jenkinsSlave.enable = true;
users.extraUsers.jenkins.extraGroups = [ "users" ]; users.extraUsers.jenkins.extraGroups = [ "users" ];
}; };
slave = { pkgs, config, ... }: {
services.jenkinsSlave.enable = true; slave =
{ config, pkgs, ... }:
{ services.jenkinsSlave.enable = true;
users.extraUsers.jenkins.extraGroups = [ "users" ]; users.extraUsers.jenkins.extraGroups = [ "users" ];
}; };
}; };
testScript = '' testScript = ''


@ -11,6 +11,7 @@ in
server = { config, pkgs, ... }: { server = { config, pkgs, ... }: {
services.murmur.enable = true; services.murmur.enable = true;
services.murmur.registerName = "NixOS tests"; services.murmur.registerName = "NixOS tests";
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
}; };
client1 = client; client1 = client;
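Review bot: Only TCP is opened for murmur (`networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];`), but Mumble carries voice over UDP on the same port number and, as far as I know, only falls back to tunnelling it through the TCP control connection when UDP is blocked; the test would pass either way, but it would then be exercising the fallback path rather than the normal one. Add `networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];` next to it. The `server` definition starts in the hunk but the `client` it is paired with is outside it.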


@ -15,10 +15,11 @@ in
services.mysql.replication.role = "master"; services.mysql.replication.role = "master";
services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ]; services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
services.mysql.initialScript = pkgs.writeText "initmysql" services.mysql.initialScript = pkgs.writeText "initmysql"
'' ''
create user '${replicateUser}'@'%' identified by '${replicatePassword}'; create user '${replicateUser}'@'%' identified by '${replicatePassword}';
grant replication slave on *.* to '${replicateUser}'@'%'; grant replication slave on *.* to '${replicateUser}'@'%';
''; '';
networking.firewall.allowedTCPPorts = [ 3306 ];
}; };
slave1 = slave1 =
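Review bot: Opening 3306 combines with the `create user '${replicateUser}'@'%'` and `grant replication slave on *.*` lines just above it, so the replication account is now reachable from any host that can reach the master, authenticated by a password interpolated from the test's `let` bindings. That is acceptable in a throwaway VM, but the grant could be narrowed to the slaves' network — e.g. `'${replicateUser}'@'192.168.1.%'` if that is the test VLAN; the node addresses are not in this hunk — so the test mirrors what a real deployment should do. The `master` node definition starts above the hunk.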


@ -12,6 +12,7 @@
{ client = { client =
{ config, pkgs, nodes, ... }: { config, pkgs, nodes, ... }:
{ virtualisation.vlans = [ 1 ]; { virtualisation.vlans = [ 1 ];
networking.firewall.allowPing = true;
networking.defaultGateway = networking.defaultGateway =
nodes.router.config.networking.interfaces.eth2.ipAddress; nodes.router.config.networking.interfaces.eth2.ipAddress;
}; };
@ -19,6 +20,7 @@
router = router =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ virtualisation.vlans = [ 2 1 ]; { virtualisation.vlans = [ 2 1 ];
networking.firewall.allowPing = true;
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalIPs = [ "192.168.1.0/24" ]; networking.nat.internalIPs = [ "192.168.1.0/24" ];
networking.nat.externalInterface = "eth1"; networking.nat.externalInterface = "eth1";
@ -27,6 +29,7 @@
server = server =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ virtualisation.vlans = [ 2 ]; { virtualisation.vlans = [ 2 ];
networking.firewall.enable = false;
services.httpd.enable = true; services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
services.vsftpd.enable = true; services.vsftpd.enable = true;
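Review bot: The `server` node gets `networking.firewall.enable = false;` with no comment, unlike the other tests in this commit that mark such cases `FIXME`; since the node runs httpd and vsftpd, the reason is presumably FTP — port 21 is easy to allow, but passive-mode data connections land on an ephemeral port range unless vsftpd is pinned to one (`pasv_min_port`/`pasv_max_port`), and active mode through the router's NAT needs the FTP conntrack helper. Record that, e.g. `networking.firewall.enable = false; # FIXME: needs 21, 80 and vsftpd's passive port range`, so the disable is not mistaken for a permanent choice. The node's remaining config continues past the hunk.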


@ -13,6 +13,7 @@ let
options = "vers=${toString version}"; options = "vers=${toString version}";
} }
]; ];
networking.firewall.enable = false; # FIXME: only open statd
}; };
in in
@ -31,6 +32,7 @@ in
/data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0) /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
''; '';
services.nfs.server.createMountPoints = true; services.nfs.server.createMountPoints = true;
networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed
}; };
}; };
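Review bot: Both nodes drop the firewall entirely, although the export line `/data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)` already shows what the server needs: an NFSv4 mount (`fsid=0`) requires only TCP 2049, while NFSv3 additionally needs rpcbind (111) plus mountd, lockd and statd, which have fixed numbers only if the module pins them. If `services.nfs.server` exposes fixed-port options (I believe it does in this era of NixOS, but cannot confirm from the hunk), the server-side FIXME can be resolved with `networking.firewall.allowedTCPPorts = [ 111 2049 <mountd> <statd> ];` and the matching `allowedUDPPorts`, and the client-side `# FIXME: only open statd` becomes a single pinned port. The client `let` helper and the `server` node both continue outside the hunks.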


@ -17,6 +17,7 @@
Allow from all Allow from all
</Location> </Location>
''; '';
networking.firewall.allowedTCPPorts = [ 631 ];
}; };
client = client =
@ -37,7 +38,7 @@
$client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die; $client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die;
$client->succeed("curl --fail http://localhost:631/"); $client->succeed("curl --fail http://localhost:631/");
$client->succeed("curl --fail http://server:631/"); $client->succeed("curl --fail http://server:631/");
$server->fail("curl --fail http://client:631/"); $server->fail("curl --fail --connect-timeout 2 http://client:631/");
# Add a HP Deskjet printer connected via USB to the server. # Add a HP Deskjet printer connected via USB to the server.
$server->succeed("lpadmin -p DeskjetLocal -v usb://HP/Deskjet%205400%20series?serial=TH93I152S123XY -m 'drv:///sample.drv/deskjet.ppd' -E"); $server->succeed("lpadmin -p DeskjetLocal -v usb://HP/Deskjet%205400%20series?serial=TH93I152S123XY -m 'drv:///sample.drv/deskjet.ppd' -E");
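Review bot: Same weakness as in the firewall test: `$server->fail("curl --fail --connect-timeout 2 http://client:631/")` is meant to show the client's CUPS is unreachable, but `--fail` also fails on an HTTP 4xx, and cupsd typically answers clients it does not allow with 403 — so the assertion would hold even if the client's firewall let port 631 through. Without `--fail` (`curl --connect-timeout 2 http://client:631/`) the only failing outcome is a connection that never establishes, which is what the firewall is supposed to guarantee. The `server` node's `Allow from all` and `allowedTCPPorts = [ 631 ]` config begins above the hunk.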


@ -5,12 +5,10 @@ let
backend = backend =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ { services.httpd.enable = true;
services.openssh.enable = true;
services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org"; services.httpd.adminAddr = "foo@example.org";
services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html"; services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html";
networking.firewall.allowedTCPPorts = [ 80 ];
}; };
in in
@ -21,8 +19,7 @@ in
{ proxy = { proxy =
{ config, pkgs, nodes, ... }: { config, pkgs, nodes, ... }:
{ { services.httpd.enable = true;
services.httpd.enable = true;
services.httpd.adminAddr = "bar@example.org"; services.httpd.adminAddr = "bar@example.org";
services.httpd.extraModules = ["proxy_balancer"]; services.httpd.extraModules = ["proxy_balancer"];
@ -50,6 +47,8 @@ in
# For testing; don't want to wait forever for dead backend servers. # For testing; don't want to wait forever for dead backend servers.
ProxyTimeout 5 ProxyTimeout 5
''; '';
networking.firewall.allowedTCPPorts = [ 80 ];
}; };
backend1 = backend; backend1 = backend;


@ -37,6 +37,7 @@ rec {
"'+map q3dm7' '+addbot grunt' '+addbot daemia' 2> /tmp/log"; "'+map q3dm7' '+addbot grunt' '+addbot daemia' 2> /tmp/log";
}; };
nixpkgs.config.packageOverrides = overrides; nixpkgs.config.packageOverrides = overrides;
networking.firewall.allowedUDPPorts = [ 27960 ];
}; };
client1 = client; client1 = client;


@ -5,13 +5,12 @@
server = server =
{ pkgs, config, ... }: { pkgs, config, ... }:
{ { services.tomcat.enable = true;
services.tomcat.enable = true;
services.httpd.enable = true; services.httpd.enable = true;
services.httpd.adminAddr = "foo@bar.com"; services.httpd.adminAddr = "foo@bar.com";
services.httpd.extraSubservices = [ services.httpd.extraSubservices =
{ serviceType = "tomcat-connector"; } [ { serviceType = "tomcat-connector"; } ];
]; networking.firewall.allowedTCPPorts = [ 80 ];
}; };
client = { }; client = { };